How to change laravel sanctum return "message": "Unauthenticated."

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Mastering Sanctum Responses: How to Return Structured 401 Errors in Laravel

As developers building modern APIs with Laravel and Sanctum, we often deal with authentication failures. While it's easy to get a simple error message like {"message": "Unauthenticated."}, for robust API design, especially when interacting with frontends or other services, we need much more structured feedback. Simply returning a string doesn't convey the necessary HTTP status code or clear failure state required by RESTful principles.

This post will walk you through the correct, developer-focused way to intercept Sanctum’s unauthenticated responses and format them into standardized JSON error objects, moving from simple messages to rich, actionable data.

The Pitfall of Simple Messages

When an API endpoint encounters an authentication issue (e.g., a token is missing or invalid), the default behavior might return a message string. While functional for debugging, this approach lacks the crucial context needed by consuming applications. A client needs to know why the request failed and what HTTP status code it corresponds to.

For example, receiving just {"message": "Unauthenticated."} forces the client to infer that this is an error, but it doesn't explicitly signal a 401 Unauthorized status, which is the correct semantic response for authentication failures in HTTP.

Implementing Structured Error Handling

To achieve the desired output—like {"status_code": 401, "success": false, "message": "Unauthenticated."}—we need to implement custom logic that intercepts the failure and manually constructs the standardized JSON response using the appropriate HTTP status code. This is a fundamental practice when building robust APIs on top of frameworks like Laravel.

The most effective place to implement this logic is usually within your authentication middleware or directly in the controller layer where the authorization check occurs.

Step-by-Step Implementation Example

Let’s assume you have an API route protected by Sanctum, and you need to handle the case where the token verification fails.

1. Define a Custom Error Response Class (Best Practice):
Instead of scattering this logic everywhere, creating a dedicated response structure makes your API predictable.

// app/Http/Responses/ApiErrorResponse.php
namespace App\Http\Responses;

class ApiErrorResponse
{
    public function __construct(
        public int $statusCode,
        public bool $success,
        public string $message
    ) {}

    public function toArray(): array
    {
        return [
            'status_code' => $this->statusCode,
            'success' => $this->success,
            'message' => $this->message,
        ];
    }
}

2. Intercepting the Sanctum Failure in Your Controller:
In your controller method, when you check for the authenticated user, instead of letting an internal exception bubble up, catch the failure and return your structured response.

use Illuminate\Http\Request;
use App\Http\Responses\ApiErrorResponse;

class MyApiController extends Controller
{
    public function getProtectedData(Request $request)
    {
        // Attempt to get the authenticated user using Sanctum
        if (!$request->user()) {
            // Handle the unauthenticated case with a standardized response
            $errorResponse = new ApiErrorResponse(
                401, // HTTP Status Code for Unauthorized
                false,
                'Unauthenticated.'
            );
            return response()->json($errorResponse->toArray(), 401);
        }

        // If authenticated, proceed with the actual logic
        $user = $request->user();
        // ... fetch data ...
        return response()->json(['data' => $user], 200);
    }
}

Why This Approach Matters for Laravel Development

This pattern moves you away from simple string responses and embraces proper HTTP semantics. When working within the Laravel ecosystem, building APIs that strictly adhere to REST principles is crucial. As seen in how powerful Laravel’s Eloquent ORM and middleware systems are, structuring your outputs correctly ensures that any service consuming your API can reliably parse errors without needing complex custom parsing logic on their end.

By implementing this structured error handling, you provide clients with transparent information: the status code immediately tells them what happened (401), and the body provides the detailed context (success: false, message: Unauthenticated.). This makes your API significantly more professional, easier to debug, and far more scalable—a core tenet of effective application development seen across the entire Laravel community.

Conclusion

Switching from simple message responses to structured error objects is a necessary evolution for any serious API development. By manually crafting JSON responses that include explicit status codes (like 401) alongside detailed messages, you ensure your Laravel Sanctum integration provides a robust, predictable, and highly usable experience for all your consuming applications. Focus on standardized responses; it’s the key to building enterprise-grade APIs.